===========================================================
== Subject:     Use of uninitialized variable in privatekey_from_file()
==
== CVE ID#:     CVE-2025-4878
==
== Versions:    All libssh versions
==
== Summary:     The privatekey_from_file() uses an
==              uninitialized variable which can result in
==              return of an invalid private key.
==
===========================================================

===========
Description
===========

The privatekey_from_file() uses an uninitialized variable under certain
conditions, such as if the file specified by the filename argument doesn't
exist. This causes the code to return an invalid private key.

This defect, in turn, might cause signing failure. The bug might also cause a
Use-After-Free or corrupt the heap.

Note that privatekey_from_file() is a deprecated function and shouldn't be used
anymore!

==================
Patch Availability
==================

Patches addressing the issues have been posted to:
https://www.libssh.org/security/
Additionally, libssh 0.11.2 have been issued
as security releases to correct the defect.  SSH administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

==================
CVSSv3 calculation
==================
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C (3.3)

==========
Workaround
==========
None

=======
Credits
=======

Originally reported by Ronald Crane (Hackerone: tdp3kel9g) via Zippenhop LLC
Patches provided by Jakub Jelen from the libssh team.

==========================================================
== The libssh team
==========================================================